The "NET" command seems to be geared more towards AD, and using it with AAD produces mixed or unexpected results.
Create a new Configuration Profile and choose Custom.
<accessgroup desc = "Administrators">
    <!-- action "U" updates the group and keeps its existing members -->
    <group action = "U"/>
    <add member = "AzureAD Group's SID"/>
</accessgroup>
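The member value above has to be the group's SID, while the Azure AD portal shows the group's Object ID. The following is an added example, not code from the original page: it converts an Object ID to the S-1-12-1-... SID form and back, which also helps when auditing unresolved SIDs in the local Administrators group. The function names are hypothetical and the GUID is a constructed sample.

```powershell
# Added example: convert between an Azure AD Object ID (GUID) and the
# S-1-12-1-... SID Windows uses for that object. Function names are hypothetical.

function Convert-AadObjectIdToSid {
    param([Parameter(Mandatory)][guid] $ObjectId)

    # Guid.ToByteArray() returns 16 bytes; the SID's four sub-authorities
    # are those bytes read as four 32-bit unsigned integers.
    $bytes = $ObjectId.ToByteArray()
    $parts = for ($i = 0; $i -lt 16; $i += 4) {
        [BitConverter]::ToUInt32($bytes, $i)
    }
    'S-1-12-1-' + ($parts -join '-')
}

function Convert-AadSidToObjectId {
    param([Parameter(Mandatory)][string] $Sid)

    # Reject anything that is not an Azure AD SID, such as an on-premises
    # AD SID (S-1-5-21-...) or a malformed value.
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        throw "Not an Azure AD SID (expected S-1-12-1-a-b-c-d): $Sid"
    }

    # Write each sub-authority back as 4 bytes and rebuild the GUID.
    $bytes = New-Object byte[] 16
    for ($i = 0; $i -lt 4; $i++) {
        $word = [BitConverter]::GetBytes([uint32]$Matches[$i + 1])
        [Array]::Copy($word, 0, $bytes, $i * 4, 4)
    }
    [guid]::new($bytes)
}

# Constructed Object ID, for illustration only; use the group's real Object ID.
$objectId = [guid]'11111111-2222-3333-4444-555555555555'
$sid = Convert-AadObjectIdToSid -ObjectId $objectId
$sid

# Round trip: the SID maps back to the same Object ID.
(Convert-AadSidToObjectId -Sid $sid) -eq $objectId
```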